Re: [mod-security-users] ICAP-Interface / Apache independency

Florian S. wrote:
> Hi everyone,
>
> I read a lot of the new modularity in modsec 2.x and approaches of
> including it in other environments than apache. But I am not aware of
> any productive solutions to directly include it into other webservers.
ModSecurity is currently tied to Apache. With ModSecurity 3, I plan on
decoupling this so that it can be ported to other applications. Apache
would still be the primary target, however.
> I am now thinking of starting a project that allows the usage of
> mod-security with e.g. ICAP.
>
> The first step would be reducing dependencies to apache, APR etc, so
> that I am able to build it as a standalone program with easy I/O. After
> that, the modsec-ICAP-server would not be much effort.
You would not be able to remove APR ties without a full rewrite.
However, I have done much of the work in splitting out the Apache httpd
dependencies already. However there is still a lot of work to do.
See this branch of code:
http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/experimental/3.0-testing/
>
> My first approaches would result in some dirty code-hacks, which is not
> very satisfying.
I agree.
> My Questions:
> - Does that make sense?
Yes.
> - Is there any community that would be interested in that?
I am sure there would. But better to make the interface to ModSecurity
generic enough to support pretty much any app.
> - How to reduce dependencies?
The biggest tie is the configuration mechanism. The Apache httpd server
is used to configure ModSecurity, so the config mechanism needs to be
re-written. The other big tie is that Apache httpd does the HTTP
parsing, so ModSecurity must parse the HTTP, or we must rely on whatever
hosts ModSecurity to do the HTTP parsing (the latter was planned for
ModSecurity 3).
> - Is there a suitable interface in the code?
No. But one is being planned for ModSecurity 3. If you have ideas into
the interface, please send me a note.
>
>
> Regards,
> Florian
>
Thanks for your interest.
-B
--
Brian Rectanus
Breach Security

Thread view

Hi everyone,
I read a lot of the new modularity in modsec 2.x and approaches of
including it in other environments than apache. But I am not aware of
any productive solutions to directly include it into other webservers.
I am now thinking of starting a project that allows the usage of
mod-security with e.g. ICAP.
The first step would be reducing dependencies to apache, APR etc, so
that I am able to build it as a standalone program with easy I/O. After
that, the modsec-ICAP-server would not be much effort.
My first approaches would result in some dirty code-hacks, which is not
very satisfying.
My Questions:
- Does that make sense?
- Is there any community that would be interested in that?
- How to reduce dependencies?
- Is there a suitable interface in the code?
Regards,
Florian
